Geekzone: technology news, blogs, forums


grkiwi

68 posts

Master Geek


#77596 18-Feb-2011 10:07

Hi all,

I had a strange call this morning with no voice at the other end, and went into the logs and had a look. It turns out there are 2 IPs that have in some way gotten into the system, although I am running fail2ban with iptables!
Since I am not an Asterisk guru, can anyone please explain if the logs below are of suspicious activity, and if yes, what can I do to lock them out??

Here is the Asterisk log with their attempts....

[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/63.247.141.210-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/63.247.141.210-08d257e0", "DID=00011442073479999") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/63.247.141.210-08d257e0", "s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/63.247.141.210-08d257e0", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/63.247.141.210-08d257e0", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/63.247.141.210-08d257e0", "ext-did|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:1] Set("SIP/63.247.141.210-08d257e0", "__FROM_DID=s") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/63.247.141.210-08d257e0", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/63.247.141.210-08d257e0", "0?blacklisted") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/63.247.141.210-08d257e0", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/63.247.141.210-08d257e0", "acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:5] Set("SIP/63.247.141.210-08d257e0", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:6] Set("SIP/63.247.141.210-08d257e0", "FAX_RX=110") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:7] Set("SIP/63.247.141.210-08d257e0", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/63.247.141.210-08d257e0", "") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/63.247.141.210-08d257e0", "ring") in new stack
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/63.247.141.210-08d257e0", "0|t") in new stack
[2011-02-18 07:16:26] DEBUG[25340] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:16:27] DEBUG[25340] app_nv_faxdetect.c: Got hangup
[2011-02-18 07:16:27] VERBOSE[25340] logger.c:   == Spawn extension (ext-did, s, 10) exited non-zero on 'SIP/63.247.141.210-08d257e0'


and


[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/194.28.112.33-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:2] Set("SIP/194.28.112.33-08d23150", "DID=00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:3] Goto("SIP/194.28.112.33-08d23150", "s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-sip-external,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/194.28.112.33-08d23150", "1?from-trunk|00011442073479999|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (from-trunk,00011442073479999,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:1] NoOp("SIP/194.28.112.33-08d23150", "Catch-All DID Match - Found 00011442073479999 - You probably want a DID for this.") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-trunk:2] Goto("SIP/194.28.112.33-08d23150", "ext-did|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Goto (ext-did,s,1)
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:1] Set("SIP/194.28.112.33-08d23150", "__FROM_DID=s") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/194.28.112.33-08d23150", "app-blacklist-check|s|1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/194.28.112.33-08d23150", "0?blacklisted") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/194.28.112.33-08d23150", "0 |Set|CALLERID(name)=asterisk") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:4] SetMusicOnHold("SIP/194.28.112.33-08d23150", "acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:5] Set("SIP/194.28.112.33-08d23150", "__MOHCLASS=acc_1") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:6] Set("SIP/194.28.112.33-08d23150", "FAX_RX=110") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:7] Set("SIP/194.28.112.33-08d23150", "FAX_RX_EMAIL=9619625@gmail.com") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/194.28.112.33-08d23150", "") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:9] PlayTones("SIP/194.28.112.33-08d23150", "ring") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:10] NVFaxDetect("SIP/194.28.112.33-08d23150", "0|t") in new stack
[2011-02-18 07:22:13] DEBUG[25365] app_nv_faxdetect.c: Preparing detect of fax (waitdur=4ms, sildur=1000ms, mindur=100ms, maxdur=-1ms)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:11] Set("SIP/194.28.112.33-08d23150", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:12] SetCallerPres("SIP/194.28.112.33-08d23150", "allowed_not_screened") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:13] Goto("SIP/194.28.112.33-08d23150", "timeconditions|2|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (timeconditions,2,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:1] GotoIfTime("SIP/194.28.112.33-08d23150", "08:00-17:00|mon-fri|1-31|jan-dec?ext-group|600|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [2@timeconditions:2] Goto("SIP/194.28.112.33-08d23150", "ext-group|601|1") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (ext-group,601,1)
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [601@ext-group:1] Macro("SIP/194.28.112.33-08d23150", "user-callerid|") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/194.28.112.33-08d23150", "AMPUSER=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:2] GotoIf("SIP/194.28.112.33-08d23150", "0?report") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:3] ExecIf("SIP/194.28.112.33-08d23150", "1|Set|REALCALLERIDNUM=asterisk") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: ExecIf
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: DEVICE/asterisk/user not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:4] Set("SIP/194.28.112.33-08d23150", "AMPUSER=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] DEBUG[25365] func_db.c: DB: AMPUSER//cidname not found in database.
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:5] Set("SIP/194.28.112.33-08d23150", "AMPUSERCIDNAME=") in new stack
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: Set
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:6] GotoIf("SIP/194.28.112.33-08d23150", "1?report") in new stack
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Goto (macro-user-callerid,s,10)
[2011-02-18 07:22:18] DEBUG[25365] app_macro.c: Executed application: GotoIf
[2011-02-18 07:22:18] VERBOSE[25365] logger.c:     -- Executing [s@macro-user-callerid:10] GotoIf("SIP/194.28.112.33-08d23150", "0?continue") in new stack


Does anyone know what the intruder is trying to do?


Thanks all for the help!
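The post above asks whether these lines are suspicious. As an added example (not code from the original post or from FreePBX), here is a short Python pass over Asterisk "full" log lines in the format quoted above: it keys on the from-sip-external "Received incoming SIP connection from unknown peer" NoOp that FreePBX writes for anonymous inbound calls, groups them by source IP and dialled DID, and counts how many of those calls went on to reach Answer() in the inbound route. The sample log lines are constructed, with RFC 5737 documentation addresses in place of the real source IPs.

```python
import re
from collections import defaultdict

# Constructed sample in the Asterisk "full" log format quoted in the post;
# RFC 5737 documentation addresses stand in for the real source IPs.
SAMPLE_LOG = """\
[2011-02-18 07:16:26] VERBOSE[25340] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/192.0.2.10-08d257e0", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:16:27] VERBOSE[25340] logger.c:   == Spawn extension (from-sip-external, 00011442073479999, 1) exited non-zero on 'SIP/192.0.2.10-08d257e0'
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [00011442073479999@from-sip-external:1] NoOp("SIP/198.51.100.7-08d23150", "Received incoming SIP connection from unknown peer to 00011442073479999") in new stack
[2011-02-18 07:22:13] VERBOSE[25365] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/198.51.100.7-08d23150", "") in new stack
[2011-02-18 07:25:40] VERBOSE[25366] logger.c:     -- Executing [900@from-sip-external:1] NoOp("SIP/198.51.100.7-08d23160", "Received incoming SIP connection from unknown peer to 900") in new stack
[2011-02-18 07:30:00] VERBOSE[25370] logger.c:     -- Executing [s@ext-did:8] Answer("SIP/mytrunk-08d24000", "") in new stack
"""

# One dialplan "Executing" line: timestamp, exten@context, application, channel, args.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] [A-Z]+\[\d+\] \S+:\s+--\s+Executing '
    r'\[(?P<exten>[^@]+)@(?P<context>[^:]+):\d+\] (?P<app>\w+)'
    r'\("(?P<channel>[^"]+)", "(?P<args>.*)"\) in new stack$'
)
# FreePBX's from-sip-external context announces every anonymous call with this NoOp.
GUEST_RE = re.compile(r'Received incoming SIP connection from unknown peer to (?P<did>\S+)')
# chan_sip names a guest channel after the remote IP; a known peer gets its peer name.
CHAN_IP_RE = re.compile(r'^SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+$')


def scan_guest_calls(log_text):
    """Per source IP: anonymous inbound attempts, the DIDs they dialled, and how
    many of those calls went on to reach Answer() in the inbound route."""
    report = defaultdict(lambda: {"attempts": 0, "answered": 0, "dids": set()})
    guest_channels = {}  # channel name -> source IP, to follow the call onward
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # console noise, Spawn/Goto lines, etc.
        chan, args = m.group("channel"), m.group("args")
        if m.group("context") == "from-sip-external" and GUEST_RE.search(args):
            ip_m = CHAN_IP_RE.match(chan)
            src = ip_m.group("ip") if ip_m else chan
            guest_channels[chan] = src
            report[src]["attempts"] += 1
            report[src]["dids"].add(GUEST_RE.search(args).group("did"))
        elif m.group("app") == "Answer" and chan in guest_channels:
            report[guest_channels[chan]]["answered"] += 1
    return {ip: {**v, "dids": sorted(v["dids"])} for ip, v in report.items()}


if __name__ == "__main__":
    for ip, info in scan_guest_calls(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} guest call(s), {info['answered']} answered, DIDs {info['dids']}")
```

A source that shows up here with answered calls has hit the inbound route exactly as sbiddle describes further down, which is why the "Allow anonymous inbound SIP calls" setting matters more than the fail2ban rules for this particular pattern.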

Oblivian
7017 posts

Uber Geek

ID Verified

  #441065 18-Feb-2011 11:02

You know all those threads/news about random cold calls from computer fixing companies...

A lot of them work by hacking PABX/SIP trunks and dialling out local calls to connect them to India etc ;)

Not saying this is what's happening here (I'm no VoIP/SIP expert), but it's quite likely an attempt at such?

grkiwi

68 posts

Master Geek


  #441069 18-Feb-2011 11:06

Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...

Oblivian
7017 posts

Uber Geek

ID Verified

  #441074 18-Feb-2011 11:11

Oh my.

Google the incoming number minus a 0. Quite a few hits

http://www.networksystemssolutions.eu/voipblocklist.php



grkiwi

68 posts

Master Geek


  #441084 18-Feb-2011 11:17

Looks like 194.28.112.33 is an IP that actually does SIP hacking... S$!t!!!
I will keep an eye on it and see what is happening...

dolsen
1449 posts

Uber Geek

Trusted
Lifetime subscriber

  #441099 18-Feb-2011 11:37

Have a look at your call records on viewbill to see what they have done.

grkiwi

68 posts

Master Geek


  #441103 18-Feb-2011 11:47

Unfortunately I haven't got access to viewbill.
I don't see any calls made on my Asterisk logs though...

freitasm
BDFL - Memuneh
77098 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #441111 18-Feb-2011 12:01

Also, mind you, if any outcalls were made you are responsible for them, in terms of costs (http://www.geekzone.co.nz/forums.asp?forumid=95&topicid=57078)


grkiwi

68 posts

Master Geek


  #441112 18-Feb-2011 12:02

I am aware of that... That's why I am looking into it!!! :-)

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #441114 18-Feb-2011 12:10

grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #441115 18-Feb-2011 12:12

Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes, the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.

grkiwi

68 posts

Master Geek


  #441116 18-Feb-2011 12:13

sbiddle:
grkiwi: Just realized I had

PBX->PBX Configuration->Allow anonymous inbound SIP calls to YES

Changed to NO now... let's see if this keeps them out...


Setting this to YES is the simplest way to get hacked. Many people set it to yes because they can't get their inbound routes matching properly with some VoIP providers.

If you want to allow inbound SIP URI calling into your box you need to define some URI usernames and manually add these to the FreePBX config files.


Unfortunately it was pure ignorance on my part. The default was YES and I hadn't looked into it... till now...

grkiwi

68 posts

Master Geek


  #441117 18-Feb-2011 12:16

sbiddle: Unless you have outbound DISA set then it's unlikely they've compromised your system. They've simply SIP URI called your system and hit your inbound call routing, so unless you've changed things and created any other loopholes, the damage they could do would be no different to somebody calling your PSTN number and hitting the same inbound call routing.


No DISA set here... so probably no harm done... :-) Thanks for that!
